Quotes in SQL-strings? - Level Extreme

Plateforme Level Extreme

Abonnement

Profil corporatif

Produits & Services

Support

Légal

English

Quotes in SQL-strings?

Message

22/05/2007 09:11:50

Olaf Doschke
Setmics
Hamburg, Allemagne

22/05/2007 06:52:19

Kjell Svedlund
Karolinska University Hospital
Stockholm, Suède

Information générale

Forum:

Visual FoxPro

Catégorie:

Codage, syntaxe et commandes

Titre:

Re: Quotes in SQL-strings?

Versions des environnements

Visual FoxPro:

VFP 9 SP1

OS:

Windows XP

Network:

Windows 2003 Server

Database:

MS SQL Server

Divers

Thread ID:

01227570

Message ID:

01227602

Vues:

>Hallo.
>Hope I can explain my problem.
>When I'm sending a command to the SQL-server, I make a string with single or double quotes (chr(39) or chr(34)).
>But if the user uses a quote in his searchcondition, the string will be corrupt. How do I deal with quotes in the searchconditions to avoid those problem.
>
>Example:
>Lets say that the user is looking for a monitor 14".
>

>=SQLEXEC(nHandle,"select *  from sqltable where field='monitor 14"' ","Result")
>

>This will not work as you see.
>
>/Kjell

"...."..." does not work as a string literal, but you can have ",' and [] in a string, no problem. Delimiters are just needed for source code/string literals, but a string var does not contain the outer delimiters, so anything can be inside a string var, in vfp strings even chr(0), which would terminate a C string.

So input of 14" monitor is no problem, if you create that sql string with:

lcSQL = "select *  from sqltable where field='"+userinput+"'"

The problem with that would rather be userinput including a single quote, like O'Neil, SQL Server would not be able to parse that SQL. On the VFP side every input would be fine.

So if you create the sql string, you just need to make sure the userinput does not contain singel quates. There is a way to include these and search for 1'20" monitors: double the single quote, like Naomi said. Then there should be no carriage return and line feed in the string.

So a way to process the userinput would be:

userinput = alltrim(thisform.inputtextbox.value)
userinput = strtran(userinput,"'","''")
userinput = chrtran(userinput,chr(13)+chr(10),space(0))

You could still run into problems with other special chars a user might input. By pressing ALT+3digits you can input quite anything even into a textbox, where you would not expect a carriage return.

So even more failsafe would be a parameterized sql, which means a placeholder in a constant sql statement string and additional automatic passing of parameters as their type, no conversion problems, no parsing problems:

userinput = alltrim(thisform.inputtextbox.value)
* no other processing needed!
SQLEXEC(nHandle,"select * from sqltable where field=?userinput","Result")

This compares to Borislav's even better example. SQLEXEC then passes that sql string and the variable userinput seperately and SQL server would need to parse the variable name only, then look up the string from that passed var.

Bye, Olaf.

Répondre

Fil

Voir

Click here to load this message in the networking platform